Local Gradients Smoothing: Defense against localized adversarial attacks

TL;DR

This paper introduces Local Gradients Smoothing (LGS), a novel defense method that effectively mitigates localized adversarial attacks by smoothing high-frequency noise in gradient regions, outperforming existing defenses especially against BPDA attacks.

Contribution

The paper proposes LGS, a new gradient-based smoothing technique that enhances robustness of DNNs against localized adversarial attacks like LaVAN and patches, with minimal impact on salient features.

Findings

LGS outperforms other defenses on ImageNet against localized attacks.

LGS shows high resistance to BPDA attack.

LGS maintains classification accuracy on clean images.

Abstract

Deep neural networks (DNNs) have shown vulnerability to adversarial attacks, i.e., carefully perturbed inputs designed to mislead the network at inference time. Recently introduced localized attacks, Localized and Visible Adversarial Noise (LaVAN) and Adversarial patch, pose a new challenge to deep learning security by adding adversarial noise only within a specific region without affecting the salient objects in an image. Driven by the observation that such attacks introduce concentrated high-frequency changes at a particular image location, we have developed an effective method to estimate noise location in gradient domain and transform those high activation regions caused by adversarial noise in image domain while having minimal effect on the salient object that is important for correct classification. Our proposed Local Gradients Smoothing (LGS) scheme achieves this by regularizing gradients in the estimated noisy region before feeding the image to DNN for inference. We have shown the effectiveness of our method in comparison to other defense methods including Digital Watermarking, JPEG compression, Total Variance Minimization (TVM) and Feature squeezing on ImageNet dataset. In addition, we systematically study the robustness of the proposed defense mechanism against Back Pass Differentiable Approximation (BPDA), a state of the art attack recently developed to break defenses that transform an input sample to minimize the adversarial effect. Compared to other defense mechanisms, LGS is by far the most resistant to BPDA in localized adversarial attack setting.